OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S MANAGING AND MONITORING OF LOCAL PROFILES

July 2011        A-14-10-20106

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

•  Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
•  Promote economy, effectiveness, and efficiency within the agency.
•  Prevent and detect fraud, waste, and abuse in agency programs and operations.
•  Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
•  Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

•  Independence to determine what reviews to perform.
•  Access to all information necessary for the reviews.
•  Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      July 13, 2011                                    Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   The Social Security Administration’s Managing and Monitoring of Local Profiles (A-14-10-20106)

OBJECTIVE

Our objective was to determine whether the Social Security Administration’s (SSA) managing and monitoring of nonfinancially significant local profiles [1] compromised the security of its information; information systems; personnel; or other resources, operations, or assets.

BACKGROUND

SSA policy states that controlling and limiting access to the Agency’s information systems and resources is the first line of defense in ensuring the confidentiality, integrity, and availability of the Agency’s information technology (IT) resources. [2]

SSA’s systems access policy is built on the access control principles of least privilege [3] and need to know. [4] SSA uses TOP SECRET, a commercial access control package modified to fit SSA’s unique requirements, to control access to SSA’s computer systems. The Agency’s users must have an identification (ID), password, and profile [5] to gain access to SSA’s computer systems.

[1] We define nonfinancially significant local profiles as profiles that allow access to datasets in applications that would not materially affect SSA’s financial statements. Profiles that allow update or greater access to datasets in applications that would materially affect SSA’s financial statements are defined as financially significant.
[2] SSA, Information Systems Security Handbook (ISSH), version 1.5, section 2.1, Systems Access Policy: Purpose, page 9.
[3] Granting users access only to the applications, transaction screens, and information systems they need to perform their official duties.
[4] The legitimate requirement of a person or organization to know, access, or possess sensitive or classified information that is critical to the performance of an authorized, assigned mission.
[5] Standardized Security Profile Project (SSPP), Building Production Dataset Profiles, version 2.2, pages 2 and 3.

IDs and Passwords

SSA has two types of IDs: a personal identification number (PIN) for those who need to access SSA’s computer systems and a User Identification (UserID) that is primarily for technical personnel. Additionally, a subset of technical personnel who may need to update files or records in a production dataset [6] do so by using an additional, restricted UserID, called a secondary UserID. The secondary UserID allows the Agency to monitor those with update access to its production datasets.

Profiles

Profiles provide the Agency an effective way of grouping users who share common system access needs, while maintaining individual accountability necessary for a secure computer environment. The Agency groups users by basic job positions and creates positional profiles [7] for each of these basic jobs. For example, a claims representative has a claims representative positional profile. To comply with the principles of least privilege and need to know, SSA’s security officers [8] assign a positional profile to every user’s PIN. Security officers assign a positional profile to those users who also have UserIDs.

Another type of profile is the functional profile, which the security officer can assign to PINs or UserIDs. Functional profiles allow users to perform specific duties by granting access to just those transactions or data files needed to accomplish a function not addressed by their positional profile. Some users may have multiple functional profiles assigned to their PIN/UserID in addition to their positional profile. For example, we found that staff who had functional profiles granting them greater than read access to datasets had more than one functional profile assigned to their UserID.

Profiles can also be categorized by ownership. Profiles are either corporate or local. A corporate profile has gone through multiple component processes and approvals to ensure proper access to IT resources. A security officer cannot directly create or modify a corporate profile. Instead, the security officer must submit any profile creation or modification request through the multi-component approval process. The Agency considers any profile that goes through this formal, multi-component approval process to be locked-down.

Unlike corporate profiles, which are owned by the Office of Telecommunications and Systems Operations, each Agency component can create and own local profiles. SSA does not consider local profiles locked-down because the profile did not go through the formal, multi-component approval process. Some components have a business need to maintain a number of local profiles for technical personnel to make emergency changes to systems, applications, or data. At times, components use local profiles because the formal, multi-component approval process for a corporate profile cannot always be completed in time to meet the emergencies that occur.

[6] A dataset is a collection of logically related data records and can contain application data or information such as source programs, macro libraries, and system variables. Applications that are critical to the Agency’s daily business use production datasets.
[7] A positional profile determines what access to systems resources each position needs.
[8] The security officers are the individuals responsible for implementing SSA's security policies within their respective component.

PRIOR AUDIT FINDINGS

Our Fiscal Year (FY) 2009 financial statement audit identified a significant deficiency [9] in the Agency’s control of access to its information. We reported that the IT resources contained in both corporate and local profiles were not reviewed periodically. In addition, testing disclosed the Agency could not ensure that employees and contractors were given least privilege access to perform their job responsibilities. Thus, we recommended that SSA implement a policy requiring a periodic review of profile contents. In the FY 2010 financial statement audit, Grant Thornton, LLP continued to identify a significant deficiency in SSA’s access controls to its information. [10] The auditors continued to report the significant deficiency because the Agency had not completed its efforts to correct the access control weaknesses identified in FY 2009.

One of the weaknesses reported in FY 2009 stated that the Agency had not properly managed and monitored financially significant [11] local profiles. Our testing of FY 2009 nonfinancially significant local profiles was limited; therefore, we initiated this review to determine whether nonfinancially significant local profiles compromise the security of the Agency’s information; information systems; personnel; or other resources, operations, or assets. Although we limited the focus of this review to SSA’s management and monitoring of nonfinancially significant local profiles, our prior financial statement audit work identified similar access control weaknesses for financially significant profiles (both local and corporate).

To achieve our objective, we randomly selected and examined a number of nonfinancially significant local profiles. For more information about our scope and methodology and our sampling methodology, see Appendices B and C, respectively.

[9] SSA OIG, Fiscal Year 2009 Financial Statement Audit (A-15-09-19124), November 9, 2009.
[10] SSA OIG, Fiscal Year 2010 Financial Statement Audit Oversight (A-15-10-10113), November 8, 2010.
[11] See Footnote 1.

RESULTS OF REVIEW

In our review of SSA’s process for managing and monitoring nonfinancially significant local profiles, nothing came to our attention that compromised the security of the Agency’s information; information systems; personnel; or other resources, operations, or assets. Although the population of local profiles decreased from 2009 to 2010 and the Agency plans to decrease them further, any mismanagement of these profiles could present an opportunity for those knowledgeable of access control vulnerabilities to compromise SSA data. We believe the possibility of a compromise will diminish if SSA implements its plans to decrease the number, and restrict the use of, local profiles.

Further, SSA has made significant improvements regarding its management and monitoring of local profiles; however, more improvements are needed. We found SSA could improve its profile certification process by obtaining nonuse information about profiles. Additionally, SSA needs to develop a secondary UserID control policy that is clear, concise, and consistent.

AGENCY PROGRESS TO IMPROVE ITS MANAGEMENT AND MONITORING OF PROFILES

SSA made significant improvements regarding its management and monitoring of local profiles. During its work on the FY 2009 Financial Statement Audit, [12] PricewaterhouseCoopers, LLP found that SSA had approximately 3,500 local profiles and 4,600 corporate profiles. In SSA’s FY 2009 Performance and Accountability Report, the Agency described a significant deficiency identified by the OIG that related to weaknesses in controls over information security. [13]

In August 2010, the Agency’s local profile inventory had decreased to approximately 1,400, and corporate profiles increased to about 5,700. SSA decreased the local profiles by converting them to corporate status or deleting local profiles no longer needed. Part of the increase in the number of corporate profiles was due to the Agency’s efforts to lock down its local profiles and change the ownership status from local to corporate. From August 27, 2009 to August 23, 2010, SSA reduced the number of local profiles by about 60 percent.

Additionally, the Office of the Chief Information Officer plans to announce in Calendar Year 2011 a new policy that will decrease the number and restrict the use of local profiles. We believe such a strategy would greatly mitigate the concerns identified in this report. In addition, the Office of the Chief Information Officer is leading an Agency workgroup to recommend revised policy and entity-wide procedures to govern the administration and review of all production security profiles by September 2011. We recommend that the Agency continue with its plans to reduce the number and restrict the use of local profiles.

[12] SSA’s FY 2009 Performance and Accountability Report, November 2009.
[13] Id. at 43.

While we commend the Agency for taking these actions, improvements are still needed. The following findings contain recommendations needed to improve SSA’s management of local profiles. Furthermore, to the extent that any of the conditions identified in the following findings are applicable to the management of corporate profiles, SSA should consider similar corrective action. We found the Agency could improve its profile certification process by obtaining nonuse information about local profiles. Additionally, SSA needs to ensure consistency in its policies related to assigning local profiles to secondary UserIDs.

NONUSE OF LOCAL PROFILES, DATASETS, AND USERIDS

Adhering to the principles of least privilege and need to know helps reduce the risk of compromising the confidentiality, integrity, or availability of SSA’s IT resources. One of the ways SSA enforces compliance with these access control principles is through its Triennial Certification (TEC) process.

During the TEC process, managers review the profiles (including both corporate and local) assigned to each of their employees and determine whether the employees have only those profiles needed to do their jobs. If the managers determine their employees no longer need a profile, they are supposed to instruct the security officer to remove the profiles from the employees’ PINs and UserIDs. SSA performed its most recent large-scoped TEC from June 1 to July 30, 2009. After our fieldwork, the Agency informed us that it did a smaller-scoped TEC in 2011. We did not confirm the results of the TEC.

To examine the status of nonuse of local profiles, we obtained an IT Resource Usage Report [14] as of September 2, 2010 from SSA’s Office of Telecommunications and Systems Operations for 41 local profiles in our sample of 100. Collectively, these 41 profiles granted 385 users access to 944 datasets through UserID accounts. Some of these 385 users had access to more than 1 of the 41 profiles. We used the data obtained to determine the nonuse status as of the date the TEC began.

Although SSA conducted its last large-scoped TEC in 2009, we found that some SSA employees had not accessed their local profiles for at least 1 year before the TEC and still had not accessed their local profile over 1 year later when we performed our test. Many datasets linked to the employee’s profile had not been accessed for at least 1 year before the TEC, and these employees still had not accessed the datasets for over 1 year after the TEC. In addition, we found several resources that users never accessed.

[14] The eTrust Cleanup report (IT Resource Usage Report) shows a profile’s and UserID’s last date of access. For any profile or UserID input, the report lists how many days have elapsed since the date of last usage (Date Referenced column). We used the term “never used” if the profile or UserID did not have an entry in the Date Referenced column. In these instances, the report showed how many days have elapsed (Days Unused column) since that resource was registered (Date Loaded column). It is possible that those profiles we described as “never used” were used before the date in the Date Loaded column.

IT Resources with Nonuse Exceeding 1 Year Existed When the 2009 TEC Began

We found periods of nonuse greater than 1 year for a subset of the 41 profiles that collectively granted access to 944 datasets to 385 users. Table 1 summarizes nonuse of these profiles, datasets, and users as of the 2009 TEC.

Table 1 - Summary of Nonuse by Elapsed Timeframes

     Description\Resource Category                                Profiles   Datasets   Users
 1   Not used for at least 3 to 4 years as of June 1, 2009 [15]       4        282       44
     (Includes 4 profiles never accessed)
 2   Not used for at least 2 to 3 years as of June 1, 2009            2         43       26
     (Includes 1 profile never accessed)
 3   Not used for at least 1 to 2 years as of June 1, 2009            3         53       21
     (Includes 1 profile never accessed)
 4   Total Nonuse for at least 1 year                                 9        378       91

[15] The registration date for the four profiles never accessed was June 7, 2005, or almost 4 years before the 2009 TEC start date. The creation dates for these four profiles are earlier than June 7, 2005, so the nonuse period for these four profiles could be even longer than 4 years.

The Nonuse of IT Resources Continued to Increase After the 2009 TEC. Table 2 compares the nonuse information as of the 2009 TEC and the September 2010 IT Resource Usage Report. It shows that 15 months after June 1, 2009, the number of resources that had elapsed times of at least 1 year had increased. Every profile, dataset and user count shown in row 1 of Table 2 is included in the counts in row 2. In every case, if nonuse exceeded 1 year as of the 2009 TEC date, the nonuse continued for another 15 months.

Table 2 - Comparison of Nonuse Elapsed Time

     Description\Resource Category                          Profiles        Datasets        Users
 1   Number per Resource Category not used for at least     9 of 41         378 of 944      91 of 385
     1 year as of June 1, 2009 (TEC)                        (22 percent)    (40 percent)    (24 percent)
 2   Number per Resource Category not used for at least     14 of 41        600 of 944      153 of 385
     1 year as of September 2, 2010 (IT Resource Usage      (34 percent)    (64 percent)    (40 percent)
     Report)

Some IT Resources Had Never Been Accessed. Table 3 compares IT resources never accessed as of the 2009 TEC and the September 2010 IT Resource Usage Report. The Table shows an increase in the number of resources never accessed during the 15 months after June 1, 2009.

Table 3 - Comparison of Never Used Time Greater Than 1 Year

     Description\Resource Category                          Profiles        Datasets        Users
 1   Number per Resource Category never used for at least   6 of 41         294 of 944      64 of 385
     1 year as of June 1, 2009 (TEC)                        (15 percent)    (31 percent)    (17 percent)
 2   Number per Resource Category never used for at least   7 of 41         443 of 944      101 of 385
     1 year as of September 2, 2010 (IT Resource Usage      (17 percent)    (47 percent)    (26 percent)
     Report)

During the TEC, we believe employees who have not used their profiles or accessed datasets within their profiles for at least 1 year should have their access needs reviewed. Although we state a nonuse period of at least 1 year as a basis for initiating a review, the Agency should determine what constitutes a nonuse period as a basis for review.
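The following Python script is an added illustration of the nonuse review described above; it is not part of the OIG report and not SSA's tooling. It reads rows shaped like the IT Resource Usage Report columns named in footnote 14 (Date Loaded, Date Referenced), flags resources idle for at least 1 year as of a chosen date, and counts "never used" resources separately, falling back to Date Loaded for them exactly as the report does. The resource names, dates, and the 365-day threshold are constructed assumptions for the example; the report leaves the real threshold to the Agency.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# "At least 1 year" is the report's basis for review; the Agency sets the real value.
NONUSE_THRESHOLD_DAYS = 365

# The two reference dates used in Tables 1 through 3.
TEC_START = date(2009, 6, 1)      # start of the 2009 Triennial Certification
REPORT_DATE = date(2010, 9, 2)    # date of the IT Resource Usage Report


@dataclass(frozen=True)
class UsageRow:
    """One usage-report line: a profile, a dataset reached through a profile,
    or a user holding a profile. Mirrors the Date Loaded / Date Referenced columns."""
    category: str                    # "profile", "dataset" or "user"
    resource: str                    # hypothetical identifier
    profile: str                     # hypothetical local profile the row belongs to
    date_loaded: date                # registration date (Date Loaded column)
    date_referenced: Optional[date]  # last use (Date Referenced); None = no entry


# Constructed sample rows; every name and date here is made up for the example.
SAMPLE_ROWS = [
    UsageRow("profile", "PROF.A",   "PROF.A", date(2005, 6, 7), None),
    UsageRow("dataset", "DS.ALPHA", "PROF.A", date(2005, 6, 7), None),
    UsageRow("user",    "U1",       "PROF.A", date(2005, 6, 7), date(2007, 1, 15)),
    UsageRow("profile", "PROF.B",   "PROF.B", date(2006, 3, 1), date(2010, 4, 20)),
    UsageRow("dataset", "DS.BETA",  "PROF.B", date(2006, 3, 1), date(2008, 5, 20)),
    UsageRow("user",    "U2",       "PROF.B", date(2006, 3, 1), date(2009, 3, 10)),
]


def days_unused(row: UsageRow, as_of: date) -> Optional[int]:
    """Days elapsed since last use as of `as_of`.

    Never-referenced rows count from Date Loaded (the report's Days Unused
    convention; any use before that date is unknown). Returns None when the
    last use falls after `as_of`: a later use says nothing about how long
    the resource had been idle on the earlier date."""
    last = row.date_referenced or row.date_loaded
    if last > as_of:
        return None
    return (as_of - last).days


def elapsed_band(days: int) -> str:
    """Whole-year band such as '3 to 4 years', matching Table 1's row labels."""
    years = days // 365
    return f"{years} to {years + 1} years"


def review_nonuse(rows, as_of, threshold_days=NONUSE_THRESHOLD_DAYS):
    """Rows whose nonuse as of `as_of` meets the threshold, tagged never-used where applicable."""
    findings = []
    for row in rows:
        idle = days_unused(row, as_of)
        if idle is None or idle < threshold_days:
            continue
        findings.append({
            "category": row.category,
            "resource": row.resource,
            "profile": row.profile,
            "days_unused": idle,
            "band": elapsed_band(idle),
            "never_used": row.date_referenced is None,
        })
    return findings


def summarize(findings):
    """Counts per resource category, plus how many flagged rows were never used."""
    counts = {"profile": 0, "dataset": 0, "user": 0, "never_used": 0}
    for f in findings:
        counts[f["category"]] += 1
        if f["never_used"]:
            counts["never_used"] += 1
    return counts


if __name__ == "__main__":
    for label, as_of in (("2009 TEC start", TEC_START), ("2010 usage report", REPORT_DATE)):
        findings = review_nonuse(SAMPLE_ROWS, as_of)
        print(label, summarize(findings))
        for f in findings:
            print(f"  {f['category']:8} {f['resource']:9} {f['band']:14} never_used={f['never_used']}")
```

Running the same rows against both reference dates reproduces the pattern in Tables 1 through 3: everything flagged as of the TEC start is still flagged 15 months later, and additional resources cross the threshold in between. The `None` result for a last use after the reference date matters when an older cutoff is evaluated from a newer report, as the report did for the June 2009 figures.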
Allowing employees access to data not needed for their job responsibilities increases the risk of compromising the confidentiality, integrity, and availability of SSA’s data.

We recommend SSA periodically review the IT Resource Usage Report to identify individuals whose periods of non-access warrant further review for continued access. Based on management’s review of the IT Resource Usage Report, management could authorize security officers to modify or revoke access, if needed, to comply with the access control principles of least privilege and need to know.

INCONSISTENCIES IN SECONDARY USERID CONTROL POLICIES AND PROCEDURES

Our sample of 100 local profiles included 41 that granted access to datasets for 384 users. [16] We reviewed 34 of these 41 profiles and found 29 that granted 172 users update or greater access to datasets through primary UserIDs. [17] The Agency’s ISSH [18] states, “Update or greater access is accomplished via a user approved secondary UserID which is activated only for the period needed, and this activity is audited.”

The policies in the ISSH [19] pertain to all SSA employees and contractors. The ISSH does not distinguish between local or corporate profiles. We identified 29 profiles where SSA did not comply with its ISSH policy [20] because users’ profiles were not assigned to a secondary UserID. By not assigning a secondary UserID, the Agency had limited ability to monitor the users’ activities and therefore the users could make unwarranted or erroneous changes to SSA’s data.

[16] The difference of 1 between the 384 users and the 385 users in the nonuse finding and Appendix C was due to a timing difference. The profiles had 384 users for the data received in May 2010 and 385 users for the data received in September 2010.
[17] Of the five remaining profiles, one had been deleted and nonuse data was not available for six users. We found 1 profile where 2 users properly used the secondary UserID and the other 3 granted 32 users read-only access to datasets, so no secondary UserIDs were needed.
[18] SSA ISSH, supra, Section 2.3, Policy at page 9.
[19] SSA ISSH, supra, Section 1.1, Overview of IT Security at page 5.
[20] SSA ISSH, supra, Section 2.3, Policy at page 9.

These 29 profiles were issued by 6 components. We asked representatives from each component why they did not use the secondary UserID process. For 28 of the 29 profiles, the representatives stated that the secondary UserID control process did not apply or its use would hinder productivity. The representative for the remaining profile stated that the profile no longer granted update or greater access.

Our review of SSA’s secondary UserID policies and procedures identified conflicting scopes and undefined terminology that may have contributed to inconsistent compliance with secondary UserID policy. For example, SSA’s ISSH, Chapter 2, provides limited high-level secondary UserID policy. [21] ISSH, Appendix I, [22] provides additional guidance; however, it contradicts Chapter 2. Chapter 2 requires that individuals granted update or greater access use a secondary UserID. [23] Appendix I restricts the use of the secondary UserID to programmers granted update access to production datasets via Standardized Production Profiles. [24] In addition, neither Chapter 2 nor Appendix I defines production datasets or Standardized Production Profiles.
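The following Python check is an added example, not part of the OIG report or of SSA's systems. It expresses the ISSH rule quoted above (update or greater dataset access only through a secondary UserID) as a test over a constructed extract shaped like the profile, dataset, access-level, and UserID fields that Appendix C says a TOP SECRET WHOHAS report carries, and reports the same figures the finding states: how many profiles, and how many distinct users, hold update-or-greater access on a primary UserID. The profile and account names, the simplified access ordering, and the "primary"/"secondary" labels are assumptions for the example; a profile with no dataset permits (for instance a deleted one) or only read access needs no secondary UserID, matching footnote 17.

```python
from collections import defaultdict
from dataclasses import dataclass

# Simplified access ordering, an assumption for this example; it is not the
# full set of TOP SECRET access levels.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALL": 4}


@dataclass(frozen=True)
class DatasetPermit:
    """A profile's permit to one dataset, as a WHOHAS-style extract would list it."""
    profile: str
    dataset: str
    access: str       # key of ACCESS_RANK


@dataclass(frozen=True)
class ProfileAssignment:
    """A UserID that has been granted a profile."""
    profile: str
    account: str      # hypothetical UserID value
    id_type: str      # "primary" or "secondary" (labels assumed for the example)


# Constructed sample extract; every name here is made up.
PERMITS = [
    DatasetPermit("LP.EMERG1",   "PROD.DS1", "UPDATE"),
    DatasetPermit("LP.EMERG1",   "PROD.DS2", "READ"),
    DatasetPermit("LP.READONLY", "PROD.DS3", "READ"),
    DatasetPermit("LP.ADMIN",    "PROD.DS4", "ALL"),
]
ASSIGNMENTS = [
    ProfileAssignment("LP.EMERG1",   "UA001", "primary"),
    ProfileAssignment("LP.EMERG1",   "UA002", "primary"),
    ProfileAssignment("LP.EMERG1",   "SA001", "secondary"),
    ProfileAssignment("LP.READONLY", "UA003", "primary"),
    ProfileAssignment("LP.ADMIN",    "UA002", "primary"),    # same user on a second profile
    ProfileAssignment("LP.ADMIN",    "SA004", "secondary"),
    ProfileAssignment("LP.DELETED",  "UA005", "primary"),    # profile with no permits left
]


def max_access(permits, profile: str) -> str:
    """Highest access level a profile grants to any dataset ('NONE' if it grants nothing)."""
    best = "NONE"
    for p in permits:
        if p.profile == profile and ACCESS_RANK[p.access] > ACCESS_RANK[best]:
            best = p.access
    return best


def update_or_greater(access: str) -> bool:
    return ACCESS_RANK[access] >= ACCESS_RANK["UPDATE"]


def check_secondary_userid_policy(permits, assignments):
    """Map each noncompliant profile to the primary UserIDs holding update-or-greater access.

    A profile is in scope only if it grants UPDATE or higher to at least one
    dataset; read-only and permit-less profiles need no secondary UserID."""
    findings = defaultdict(set)
    for a in assignments:
        if a.id_type == "secondary":
            continue
        if update_or_greater(max_access(permits, a.profile)):
            findings[a.profile].add(a.account)
    return dict(findings)


def summarize_findings(findings):
    """Counts in the form the report uses: profiles, distinct users, and individual grants."""
    users = set().union(*findings.values()) if findings else set()
    return {
        "profiles": len(findings),
        "users": len(users),
        "grants": sum(len(v) for v in findings.values()),
    }


if __name__ == "__main__":
    result = check_secondary_userid_policy(PERMITS, ASSIGNMENTS)
    for profile, accounts in sorted(result.items()):
        print(f"{profile}: update-or-greater access on primary UserIDs {sorted(accounts)}")
    print(summarize_findings(result))
```

The check deliberately evaluates the profile's highest dataset access rather than each permit in isolation, because a profile that mixes read and update permits still exposes the update path to every primary UserID assigned to it. Counting distinct users separately from grants mirrors the report's note that some users held more than one of the sampled profiles.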
Appendix I does provide a link to the SSPP Intranet home page for readers to\nfind the secondary UserID procedures.\n\nWe found five pages on SSA's Intranet that provided additional secondary UserID\npolicies and procedures. We determined the policies and procedures used different and\nundefined terms to describe the scope and application of the secondary UserID\nprocess; used different names for the secondary UserID; and disagreed on the type of\naccess (full versus emergency) and duration of the emergency access required for\nassigning secondary UserIDs.\n\nBased on our findings, we believe the Agency should resolve the inconsistencies\namong its policies and procedures and better describe and define the secondary UserID\ncontrol policy, standards, and procedures. We recommend SSA develop a secondary\nUserID control policy that is clear, concise, and consistent.\n\n\n\n\n21\n     SSA ISSH, supra, section 2.3, at page 9.\n22\n     SSA ISSH, Appendix I, Systems Access Security Administration Software, pages I-3 through I-4.\n23\n     SSA ISSH, supra, section 2.3, at page 9.\n24\n     SSA ISSH, supra, Appendix I, Systems Access Security Administration Software, section E at page I-3.\n\x0cPage 9 - The Commissioner\n\n\nCONCLUSION AND RECOMMENDATIONS\nControlling and limiting access to the Agency\xe2\x80\x99s information systems and resources is\nthe first line of defense in ensuring the confidentiality, integrity, and availability of the\nAgency\xe2\x80\x99s information resources. Lack of adequate access controls compromises the\ncompleteness, accuracy, and validity of the information in the system.\n\nIn our review of SSA\xe2\x80\x99s process for managing and monitoring nonfinancially significant\nlocal profiles, nothing came to our attention that compromised the security of the\nAgency\xe2\x80\x99s information; information systems; personnel; or other resources, operations,\nor assets. 
Although the population of local profiles decreased from 2009 to 2010 and\nthe Agency plans to decrease them further, any mismanagement of these profiles could\npresent an opportunity for those knowledgeable of access control vulnerabilities to\ncompromise SSA data. We believe the possibility of a compromise will diminish if SSA\nimplements its plans to decrease the number, and restrict the use, of local profiles. In\naddition, we did identify some areas that needed improvement.\n\nAs such, we recommend that the Agency:\n\n1. Continue with its plans to reduce the number, and restrict the use, of local profiles.\n\nWe recommend the following strategies to improve SSA\xe2\x80\x99s managing and monitoring of\nlocal profiles. Furthermore, to the extent that any of the conditions identified in this\nreport are applicable to the managing and monitoring of corporate profiles, SSA should\nconsider similar corrective action. As such, we recommend SSA:\n\n2. Periodically review the IT Resource Usage Report to identify individuals whose\n   periods of non-access would warrant further review for continued access. Once\n   reviewed, modify or revoke access, if needed, to comply with the access control\n   principles of least privilege and need to know.\n\n3. Develop a secondary UserID control policy that is clear, concise, and consistent.\n\nAGENCY COMMENTS\nSSA agreed with our recommendations. The Agency\xe2\x80\x99s comments are included in\nAppendix D.\n\n\n\n\n                                            Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Sampling Methodology\nAPPENDIX D \xe2\x80\x93 Agency Comments\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                 Appendix A\n\nAcronyms\nFY       Fiscal Year\nID       Identification\nISSH     Information Systems Security Handbook\nIT       Information Technology\nOIG      Office of the Inspector General\nPIN      Personal Identification Number\nSSA      Social Security Administration\nSSPP     Standardized Security Profile Project\nTEC      Triennial Certification\nUserID   User Identification\n\x0c                                                                        Appendix B\n\nScope and Methodology\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Obtained and reviewed pertinent Federal criteria governing access controls.\n\n\xe2\x80\xa2   Obtained and reviewed pertinent Agency policy and procedures governing the\n    authorization, creation, modification, and usage of local profiles.\n\n\xe2\x80\xa2   Interviewed key staff from components reporting to the Deputy Commissioner for\n    Systems.\n\n\xe2\x80\xa2   Met with management in the Office of the Chief Information Officer to discuss profile\n    security policies and procedures.\n\n\xe2\x80\xa2   Obtained extracts from the Agency\xe2\x80\x99s Office of Telecommunications and Systems\n    Operations that contained 2,561 local profiles on the Profile Registry reports as of\n    March 16 and August 23, 2010.\n\n\xe2\x80\xa2   Compared the March 16, 2010 extract to the extract obtained by\n    PricewaterhouseCoopers, LLP on August 27, 2009.\n\n\xe2\x80\xa2   Selected a random sample of 100 local profiles from the March 16, 2010 Profile\n    Registry report (see Appendix C).\n\nWe conducted our audit between January and November 2010 in Baltimore, 
Maryland.\nWe found the data used for this audit to be sufficiently reliable to meet our audit\nobjective. The primary entity audited was the Office of Systems.\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the\naudit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our\naudit objective.\n\x0c                                                                       Appendix C\n\nSampling Methodology\nTo accomplish our sampling objective, we:\n\n\xe2\x80\xa2   Obtained a data extract from the Agency of 2,561 local profiles as of\n    March 16, 2010.\n\n\xe2\x80\xa2   Excluded from possible testing 1,028 local profiles in existence as of March 16, 2010\n    that\n       o PricewaterhouseCoopers, LLP tested in Fiscal Year 2009;\n       o appeared to access non-production datasets (names contained such terms as\n          integration, test, or training);\n       o did not access any datasets; and,\n       o security officers had not assigned to any users.\n\n\xe2\x80\xa2   Selected a random sample of 100 local profiles from the audit population of 1,533.\n\n\xe2\x80\xa2   Tested one local profile that granted user identification (UserID) access to datasets\n    from the Human Resources Management Information System.\n\n\xe2\x80\xa2   Obtained a TOP SECRET WHOHAS report for each profile in our sample as of\n    May 24, 2010. 
This report contains various information about each profile, such as\n    profile creation date, profile ownership, datasets assigned, the dataset access level\n    allowed, and UserIDs granted access.\n\nBased on our analysis of the TOP SECRET data, we determined that 41 of the\n100 profiles in existence as of March 16, 2010 had been accessible to 384 users as of\nMay 24, 2010.\n\nBecause of time constraints, we could not test all 100 profiles in the sample. Instead,\nwe tested the 41 profiles that were still granting access to datasets as of May 24, 2010.\nThe remaining 59 profiles had been modified since our March 16, 2010 data extraction\nand no longer granted users access to datasets.\n\nFrom August through September 2010, we queried the TOP SECRET Administrator\xe2\x80\x99s\nsecurity administration database to determine which of these 41 profiles were still in\nlocal profile status and how many users had secondary UserIDs.\n\nOn September 2, 2010, we obtained a listing from the TOP SECRET eTrust Cleanup\nutility for the 41 profiles, 944 datasets and the 385 users to determine the number of\nelapsed days since a profile was last accessed, a dataset was last accessed via that\nprofile, and a user last accessed that profile.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                        SOCIAL SECURITY\n\n\nMEMORANDUM\n\n\nDate:      June 24, 2011                                                           Refer To:   S1J-3\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Dean S. Landis /s/\n           Deputy Chief of Staff\n\nSubject:   Office of the Inspector General Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n           Managing and Monitoring of Local Profiles\xe2\x80\x9d (A-14-10-20106)--INFORMATION\n\n\n           Thank you for the opportunity to review the draft report. 
           Please see our attached comments.

           Please let me know if we can be of further assistance. You may direct staff inquiries to
           Frances Cord at (410) 966-5787.

           Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,
“THE SOCIAL SECURITY ADMINISTRATION’S MANAGING AND
MONITORING OF LOCAL PROFILES” (A-14-10-20106)

Recommendation 1

Continue with its plans to reduce the number, and restrict the use, of local profiles.

Response

We agree.

Recommendation 2

Periodically review the IT Resource Usage Report to identify individuals whose periods of
non-access would warrant further review for continued access. Once reviewed, modify or
revoke access, if needed, to comply with the access control principles of least privilege and
need to know.

Response

We agree.

Recommendation 3

Develop a secondary UserID control policy that is clear, concise, and consistent.

Response

We agree.

                                                                     Appendix E

OIG Contacts and Staff Acknowledgments
OIG Contacts

   Brian Karpe, Director, Information Technology Audit Division
   Grace Chi, Acting Audit Manager

Acknowledgments

In addition to those named above:

   Alan Lang, Senior Auditor

For additional copies of this report, please visit our Website at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number
A-14-10-20106.

                            DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

                         Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

                                                  Office of Audit
OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

                                              Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

                            Office of the Counsel to the Inspector General
OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

                                        Office of External Relations
OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

                           Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. OTRM also receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.